All,
We are running into an issue where our Cisco switch port goes into err-disable due to BPDU guard. It only happens on this one port, which is a trunk. This is a VSX FW cluster running multiple VSs. It only happens to one particular VS instance. We are also running VMACs on the cluster. This seems to occur at random times and between the active and standby nodes. eth1-04 is the interface in question. It is a 10gb connection.

```
Sync     UP  sync(secured), broadcast
eth1-03  UP  non sync(non secured), multicast
eth2-08  UP  non sync(non secured), multicast
eth1-04  UP  non sync(non secured), multicast (eth1-04.112)
```
Any ideas/help on trying to troubleshoot this from a FW perspective?
Thanks,
Bill
Is there a virtual switch between the VS and the cisco switch or is it just a virtual firewall connected to that vlan interface? I'm a bit rusty on VSX FYI.
There is no virtual switch involved. This is just a single 10gb connection assigned to the VS setup as a trunk. It is directly hooked up to a Cisco 9K.
Hi Bill,
Did you manage to solve this issue? I was wondering if you did, because we have this problem also and are a bit in the dark why this is happening. :S
I'm running into the same issue as well, haven't yet found a conclusive solution.
Not to be trite, but BPDU guard means the switch is seeing a spanning-tree BPDU come in on a port where none is expected. Your switch is likely configured with "spanning-tree portfast bpduguard default". For trunk ports, you may also have "spanning-tree portfast trunk", unless you have bpduguard per-port.
Are you seeing BPDUguard on ALL VLANs of the trunk port, or just certain VLANs? This would help you determine the exact cause:
```
show spann int TeX/Y/Z
```
Are you running VS in active-active bridge mode? This will emit 802.1d frames. VMACs won't cause BPDUguard, tho.
You can see details of spanning-tree on the port with "show spann int TeX/Y/Z details" to get some idea of what's coming into the port. If you have a port-channel, and you're only seeing BPDUguard on a single port of the bundle, then you have a port configuration mismatch.
If, for some reason you NEED to have BPDUs through this port, you can still allow them but not allow a lower priority BPDU:
```
int TeX/Y/Z
 spanning-tree bpduguard disable
 spanning-tree guard root
```
If you are using Active/Active Bridge mode VS, then this is the config you want on your port. Root guard will prevent your spanning tree topology from pivoting towards a new lower priority, or lower bridge ID, root bridge, which would be terrible.
You *DO* want to take care of your spanning tree topology, however. I presume you understand STP enough to set your preferred primary and secondary root bridges on your network. Make sure your root is where you think it is.
Lemme know if you have any questions with it.
Good luck!
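The answer above suggests checking whether BPDUs arrive on all VLANs of the trunk or only some. The following is an added example, not code from the thread or from Check Point or Cisco: it parses the per-VLAN blocks of `show spanning-tree interface TeX/Y/Z detail` output and reports the VLANs on which the port has actually received BPDUs. The sample output is constructed (port Te1/0/4, VLANs 100/112/200 and the counter values are assumptions); save the real command output to a file and pass its contents to the same functions.

```python
import re

# Constructed sample of `show spanning-tree interface Te1/0/4 detail` output,
# trimmed to the lines the parser needs. VLAN0112 mirrors the eth1-04.112
# sub-interface from the thread; the counters are made up for the example.
SAMPLE_OUTPUT = """\
 Port 4 (TenGigabitEthernet1/0/4) of VLAN0100 is designated forwarding
   Port path cost 2, Port priority 128, Port Identifier 128.4.
   Designated root has priority 24676, address 0011.2233.4455
   BPDU: sent 48210, received 0
 Port 4 (TenGigabitEthernet1/0/4) of VLAN0112 is designated forwarding
   Port path cost 2, Port priority 128, Port Identifier 128.4.
   Designated root has priority 24688, address 0011.2233.4455
   BPDU: sent 48210, received 37
 Port 4 (TenGigabitEthernet1/0/4) of VLAN0200 is designated forwarding
   Port path cost 2, Port priority 128, Port Identifier 128.4.
   BPDU: sent 48210, received 0
"""

# Header line of each per-VLAN block: "Port N (ifname) of VLANxxxx is ..."
PORT_RE = re.compile(r"^\s*Port \d+ \((\S+)\) of (VLAN\d+) is")
# Counter line inside a block: "BPDU: sent N, received M"
BPDU_RE = re.compile(r"^\s*BPDU: sent (\d+), received (\d+)")


def parse_bpdu_counters(text):
    """Return {vlan: (sent, received)} for every VLAN block in the output."""
    counters = {}
    current_vlan = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_vlan = m.group(2)  # start of a new per-VLAN block
            continue
        m = BPDU_RE.match(line)
        if m and current_vlan:
            counters[current_vlan] = (int(m.group(1)), int(m.group(2)))
    return counters


def vlans_receiving_bpdus(text):
    """VLANs where the port has received BPDUs; on a port facing a firewall
    with no bridge behind it, any non-zero value is what trips BPDU guard."""
    return sorted(v for v, (_, rx) in parse_bpdu_counters(text).items() if rx > 0)


if __name__ == "__main__":
    for vlan, (tx, rx) in parse_bpdu_counters(SAMPLE_OUTPUT).items():
        print(f"{vlan}: sent={tx} received={rx}")
    print("VLANs receiving BPDUs:", vlans_receiving_bpdus(SAMPLE_OUTPUT))
```

If only one VLAN shows received BPDUs, the source is something bridging on that VLAN (such as a VS in bridge mode); if every VLAN does, look at the port-level STP configuration mismatch the answer describes.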